[Snort-users] Problem with acquiring traffic

Alex Adamos alexthakidadam at ...125...
Sun Feb 24 12:46:34 EST 2013




> Date: Sat, 23 Feb 2013 14:12:43 -0500
> From: wkitty42 at ...14940...
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Problem with acquiring traffic
> 
> On 2/23/2013 13:58, Alex Adamos wrote:
> > Hello!!
> >
> > I wrote my own preprocessor to track flows to a webserver and determine whether
> > the server is under a slow HTTP DoS attack. Now I want to test my preprocessor
> > and see "how many fish I can get" (Greek one, :p)!! I've installed Snort in an
> > Ubuntu VirtualBox guest (the host is Windows 7). To automate the tests I wrote
> > a bash script that every time starts Snort (with a different configuration for
> > my preprocessor) and starts the attack/s. So the Snort installation and the
> > attacker/s should be on the same machine. For this reason, I thought that I
> > should capture traffic from the lo interface. But so far, I can't get any of the
> > attacker's packets.
> 
> are you sending to/from 127.0.0.1? if not, there's nothing on lo to see...
> 
> 

Doesn't anyone have an idea?? All I want is Snort to capture traffic
from the lo interface. Until now I cannot see any packets coming if I
send them from the localhost (guest machine 127.0.0.1) to the same
machine's web server (localhost 127.0.0.1).

I've attached a screenshot from tcpdump. This is the traffic from the lo
interface when I'm not sending any packets from a slowhttp tool. Always,
I can see a connection opening from a different port from localhost to
localhost's port 80, then closing, and then opening another one... I
can't understand what's happening!!!
Furthermore, tcpdump catches the attacking packets on the lo interface.

In snort.conf:
ipvar HOME_NET 127.0.0.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tcpdump.png
Type: image/png
Size: 257343 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130224/450314dc/attachment.png>